[Samba] Cannot set Windows ACL security permissions Ubuntu 18.04 LXD privileged container

Jonathan Kreider jonathan.kreider at gmail.com
Wed Sep 12 00:14:58 UTC 2018


I'm trying to set up a member server for serving files following the
instructions at:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs.

Since I'm not an expert with log files or debugging, I need help
troubleshooting the following:

When I get to the part where I connect to the member server from the
Windows Computer Management tool, I get a long message starting with
"Computer FS3.MYDOM.COM cannot be connected. ..."

But then the tool connects anyway and lets me change the "Share
permissions" settings. I can add and delete groups here.

But when I click on the security tab I get a message "You must have read
permissions to view the properties of this object." Other times, the tab
has displayed properly and allowed me to add groups and change permissions,
but then it won't allow me to save the changes.

Shared directory permissions:
drwxrwxrwx  2 root   KMS2\domain admins  2 Sep 11 22:40 shared/

testparm output:
# Global parameters
[global]
        dns proxy = No
        log file = /var/log/samba/log.%m
        map to guest = Bad User
        max log size = 1000
        panic action = /usr/share/samba/panic-action %d
        realm = KMS2.SAMDOM.COM (sanitized)
        security = ADS
        server role = member server
        server string = %h server (Samba, Ubuntu)
        username map = /etc/samba/user.map
        winbind refresh tickets = Yes
        workgroup = KMS2
        acl_xattr:default acl style = windows  (tried with and without - could not tell a difference)
        acl_xattr:ignore system acls = yes     (tried with and without - could not tell a difference)
        idmap config kms2 : range = 10000-19999
        idmap config kms2 : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[Shared]
        path = /home/shared
        read only = No
        acl_xattr:default acl style = windows  (tried with and without - could not tell a difference)
        acl_xattr:ignore system acls = yes     (tried with and without - could not tell a difference)

Environment: Ubuntu 18.04 in an LXD privileged container on an Ubuntu 16.04
host
Samba Version = 4.7.6 (what ships with Ubuntu 18.04 by default)
AD DC = Samba 4.3.11 on Ubuntu 16.04 LTS inside an LXD privileged container
on the same host as above.
Second AD DC = Samba 4.7.6-Ubuntu on Ubuntu 18.04 inside a privileged
container on same host.

The underlying file system is zfs-on-linux and in all cases I set the
following zfs attributes:
xattrs=sa
aclinherit=passthrough
acltype=posix

A member server fs3 w/Samba 4.7.6-Ubuntu also privileged on the same host.
All workstations on the network are successfully joined to AD.
Windows OS = 10 1803, but RSAT is 17xx b/c the RSAT 1803 doesn't have the
DNS tools, so I had to downgrade.

All containers are "privileged" b/c samba NTACLs use the "security"
namespace which requires root privileges. This seems to work for the AD DCs
- I can't get the AD DCs to work in unprivileged mode.
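The post's testparm output can be checked mechanically for the settings the Windows-ACL share setup depends on. The script below is an added example, not code from the post, the Samba wiki or the Samba project: it parses `testparm -s`-style output (here two constructed samples cut down from the post's config), resolves each parameter share-first and then from `[global]` the way Samba does, and reports whether `vfs objects` contains `acl_xattr` and `map acl inherit` and `store dos attributes` are enabled for the share. It also includes a probe that writes and reads back a `security.*` extended attribute, which is the namespace the post says NTACLs need root for; the attribute name `security.samba_probe` is a hypothetical test name, not Samba's own, and the probe only runs when the script is executed as root with `setfattr` installed.

```shell
#!/bin/sh
# Added example (not from the post or the Samba project): check a Samba config,
# as printed by `testparm -s`, for the settings a Windows-ACL share needs.
# Assumptions: testparm's "key = value" layout, and that the required settings
# are vfs objects = acl_xattr, map acl inherit = yes, store dos attributes = yes.

# Constructed sample, cut down from the testparm output in the post.
GOOD_CONF='[global]
        realm = KMS2.SAMDOM.COM
        security = ADS
        server role = member server
        workgroup = KMS2
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[Shared]
        path = /home/shared
        read only = No
'

# Constructed counter-example: acl_xattr loaded only on the share and
# "map acl inherit" missing everywhere.
BAD_CONF='[global]
        security = ADS
        server role = member server
        store dos attributes = Yes

[Shared]
        path = /home/shared
        read only = No
        vfs objects = acl_xattr
'

# get_param CONF SECTION KEY: print the value of KEY in [SECTION], or nothing.
# Section and key matching is case-insensitive, as Samba treats them.
get_param() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
                      insec = (tolower(s) == tolower(sec)); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# effective_param CONF SHARE KEY: the share-level value if set, else the [global] one.
effective_param() {
    v=$(get_param "$1" "$2" "$3")
    [ -n "$v" ] || v=$(get_param "$1" global "$3")
    printf '%s' "$v"
}

# check_windows_acl_share CONF SHARE: print one line per setting; status 0 if all present.
check_windows_acl_share() {
    conf=$1; share=$2; rc=0
    if [ -z "$(get_param "$conf" "$share" path)" ]; then
        echo "[$share]: no 'path' set"; rc=1
    fi
    # key|substring the lower-cased effective value must contain
    for req in 'vfs objects|acl_xattr' 'map acl inherit|yes' 'store dos attributes|yes'; do
        key=${req%%|*}; want=${req#*|}
        have=$(effective_param "$conf" "$share" "$key" | tr '[:upper:]' '[:lower:]')
        case "$have" in true|1) have=yes ;; esac   # Samba's other spellings of "yes"
        case "$have" in
            *"$want"*) echo "[$share]: $key = $have (ok)" ;;
            *) echo "[$share]: $key should include '$want' (got '${have:-unset}')"; rc=1 ;;
        esac
    done
    return $rc
}

# check_security_xattr DIR: status 0 if a security.* xattr can be written and read
# back on a file in DIR. Needs root (CAP_SYS_ADMIN); security.samba_probe is a
# hypothetical probe name, not the attribute Samba itself uses.
check_security_xattr() {
    f=$(mktemp "$1/xattrprobe.XXXXXX") || return 2
    if setfattr -n security.samba_probe -v 1 "$f" 2>/dev/null &&
       getfattr -n security.samba_probe --only-values "$f" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"; return $rc
}

# Stand-alone run: the first config passes, the second reports the missing setting.
check_windows_acl_share "$GOOD_CONF" Shared
check_windows_acl_share "$BAD_CONF" Shared || echo "BAD_CONF: fix the settings above"
if [ "$(id -u)" = 0 ] && command -v setfattr >/dev/null 2>&1; then
    check_security_xattr /tmp && echo "security.* xattrs writable in /tmp" \
                              || echo "security.* xattrs NOT writable in /tmp"
fi
```

To check a live server, replace the constructed samples with `CONF=$(testparm -s 2>/dev/null)` and run `check_windows_acl_share "$CONF" Shared`, and point `check_security_xattr` at the share path itself rather than `/tmp`, since xattr support is a per-filesystem property.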
